Security Experts Analysis Of FBI Crime Report

In its new Internet Crime Report, the FBI said it received 467,361 internet and cyber-crime complaints in 2019, and that almost half of the reported losses — an estimated $1.77 billion — came from reports of BEC (Business Email Compromise), also known as EAC (Email Account Compromise), crimes.

FBI Internet Crime Report 2019: https://pdf.ic3.gov/2019_IC3Report.pdf

Expert Comments

February 14, 2020
Andy Harcup
VP EMEA
Absolute Software
These figures reinforce the fact that cyber-crime is a lucrative business worth billions, a statistic that will only encourage an increase in illegal activity in the long term. Despite these troubling headlines, many businesses are still not getting the message about the risk posed by hackers, who are seeking to exploit security vulnerabilities in all areas of organisations. Increasingly, mobile devices used by workers on the move are a target for cyber-criminals, and the sheer amount of mobile threats is growing much faster than it did for PCs. The reason portable devices are major targets is that they are full of personal and financial information. For example, most devices have banking features backed up inside that are rich pickings for hackers. Cyber criminals are always hunting for security weaknesses in businesses, so it is crucial that those vulnerabilities are spotted and remediated by automated cyber security technology. All organisations must put resilience at the heart of every security strategy, to boost the cyber immune system through self-healing endpoint security systems and keep criminals locked out.
February 13, 2020
Tal Zamir
Founder and CTO
Hysolate
According to the FBI, both the number of ransomware incidents and the total ransomware-related losses continued to increase in 2019. It's interesting to see this trend gaining momentum regardless of the ever-increasing investment in cybersecurity solutions that should have stopped ransomware from infecting user devices and causing damage. Typical anti-ransomware solutions use endpoint security agents that are embedded in the operating system and try to protect it from malicious software. However, this approach is bound to fail as the underlying operating systems are bloated monolithic operating systems written decades ago and have hundreds of millions of potentially vulnerable lines of code. The current cat-and-mouse approach to fighting ransomware will not solve the problem - enterprises and individuals seeking to protect themselves against ransomware should consider fully segregating/isolating their sensitive resources, both local files and access to sensitive cloud resources.
February 13, 2020
Erich Kron
Security Awareness Advocate
KnowBe4
Business Email Compromise (BEC) has been around for a number of years, but continues to evolve, bringing with it significant losses and frustration. It is typical for BEC scams to mimic executives or managers within organizations in order to use their authority to convince employees to perform unusual or dangerous actions that result in redirected funds. This same basic scheme of pretending to be someone they are not is used to get people to purchase gift cards, pay fake invoices, redirect paychecks and even redirect down payments and escrow funds in real estate transactions. There is no limit to the types of attempted scams using the moniker of executive leadership. These phishing attacks often rely on emotional triggers to do their dirty work. This includes the fear of disappointing the boss and losing their job, the promise of something for nothing, or even just the feeling of being helpful. These attacks will always include a sense of urgency in an effort to keep people from asking questions or applying critical thinking to the situation. In all my years of watching these attacks, I have yet to see one asking people to take their time completing whatever task has been provided. The most effective method to defend against these attacks is to train users about the methods being used, and also to teach them the signs to look for in emails to see if they are genuine. Checking the "reply-to" address and hovering over any links in the emails looking for misdirection is crucial to spotting these scams. In addition, a simple policy should state that any emails requesting a monetary transfer over a certain amount must be confirmed with a phone call to a known good phone number. Simply picking up the phone to confirm the request, whether it be for a wire transfer or a request to purchase gift cards, can stop these attacks in their tracks.
When dealing with real estate transactions, it is becoming more common to see a section on the contract that specifies the only account number that will be used for transferring down payments or escrow deposits. This is a step that protects the organization and the purchaser against scammers trying to redirect these funds.
February 13, 2020
Paul Gagliardi
Head of Threat Intelligence and CISO
SecurityScorecard
I initially thought this might be Iran or nation state related, as the oil and gas, critical infrastructure caught my eye. Open source intelligence seems to greatly concur that this is indeed a criminal group, Orangeworm, and not a nation state. They are quite sophisticated in their selective targeting, pivoting, long term data collection investment, and tool development. For criminal groups they are up there in terms of maturity. Normally the targeting of industrial control system companies or the systems themselves is reserved for well-funded nation state groups. However, we've seen this type of targeted attack on oil and gas industries before by the "Seldon" phishing criminal group out of Russia - although Orangeworm appears to be much more sophisticated. Targeting critical infrastructure requires domain knowledge outside of just writing and deploying Windows malware. This includes knowing the operational technology processes and process controls, nonstandard or proprietary "OS" based PLCs, movement across air gaps, and different communication protocols, often proprietary, from those used on the regular internet. This is not to say a criminal group cannot acquire this knowledge, but there doesn't really seem to be a precedent for it yet. Additionally, you don't necessarily need to write the next "Stuxnet" to do considerable reputational or economic harm to critical infrastructure companies. Or to make money off them - which I'm guessing is the goal here. If the group is targeting the manufacturers or suppliers of industrial control system devices, it is actually quite an interesting and fantastic way to get a potential, frightening foothold in any organization that uses that technology.
Somehow infecting some device or software in the supply chain of a PLC, and having that deployed to an energy company that uses that PLC, would require, again, some advanced knowledge of how these devices work and are used, and that information is not impossible to acquire.
February 13, 2020
Ed Macnair
CEO
Censornet
These findings from the FBI are shocking but unfortunately just confirm what we have already seen in the security market - that email attacks remain the most popular types of attack for criminals. This may be surprising for some readers who might think email has been around long enough to be protected, or might have suspected more complex malware based attacks such as ransomware to be more prevalent. However, remember that complex attacks are also expensive and complicated for criminals to execute. Email attacks, on the other hand, are relatively simple, cheap and easy for criminals to execute. While organisations still remain vulnerable to such attacks, why would criminals spend time and effort trying something else? Many organisations remain vulnerable to email attacks because criminals have updated their methods to stay ahead of traditional email security. Most businesses are protected against the volume spam email campaigns that were once in vogue. In response, criminals have turned to Business Email Compromise (BEC) attacks - highly targeted phishing campaigns aimed at "high value" individuals in the business, such as the CEO or the finance department. By using an email address similar to a trusted company address, criminals can trick an employee into giving away valuable information at almost no cost. These attacks are harder for traditional pattern-matching techniques to catch so organisations have to update their email security technology in kind. Multi-layered content analysis, which thoroughly checks each individual feature of an email before it gets to the sender, has proved effective at stopping these very convincing spoof emails, which led to almost two billion dollars lost in the US in the last year alone.
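The signs Kron lists above (a "reply-to" address that differs from the sender, links whose text points somewhere other than their target, and urgency wrapped around a money request) together with the lookalike sender address Macnair describes can be checked mechanically before a message reaches an inbox. The script below is an added example, not code from any of the commenters or their companies; the trusted domain `example-corp.com`, the word lists and the sample message are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed placeholder for the real allow-list
URGENCY_WORDS = ("urgent", "immediately", "right away", "asap")
MONEY_WORDS = ("wire", "transfer", "gift card", "invoice", "payment")

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def levenshtein(a, b):
    """Plain edit distance, used to catch 'example-c0rp.com' style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    """Return the BEC warning signs found in one RFC 5322 message (may be empty)."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")          # replies are routed elsewhere
    if from_dom not in TRUSTED_DOMAINS and any(
            levenshtein(from_dom, t) <= 2 for t in TRUSTED_DOMAINS):
        flags.append("lookalike-sender-domain")    # one or two characters off
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Anchor text naming one host while the href actually points at another.
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', text, re.I):
        hosts = [re.sub(r"^https?://", "", s.strip()).split("/")[0].lower() for s in (shown, href)]
        if "." in hosts[0] and hosts[0] != hosts[1] and "link-text-mismatch" not in flags:
            flags.append("link-text-mismatch")
    lowered = text.lower()
    if any(w in lowered for w in URGENCY_WORDS) and any(w in lowered for w in MONEY_WORDS):
        flags.append("urgent-money-request")       # the "hurry, no questions" pattern
    return flags

# Constructed sample message (not a real email) that shows all four signs at once.
SAMPLE = (
    "From: CEO <ceo@example-c0rp.com>\n"
    "Reply-To: ceo.private@webmail-example.net\n"
    "Content-Type: text/html\n\n"
    "<p>I need this wire sent immediately and cannot take calls.</p>\n"
    '<p>Details: <a href="http://pay-portal.example.net/x">example-corp.com/payments</a></p>\n'
)

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

Any non-empty result is a reason to apply the out-of-band phone confirmation Kron recommends rather than to act on the message.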
February 13, 2020
Stuart Reed
UK Director
Orange Cyberdefense
Data from the internet crime complaint centre revealing that criminals netted $3.5bn from crimes reported to the FBI in 2019 highlights the very real issue of spotting a fake. The advice to consumers is plentiful – from spotting dubious websites to identifying phishing emails – and eventually this will become fundamental cyber-savviness that we’ll all need to have. There is also a responsibility on businesses, however, to ensure that their websites aren’t spoofed and that they are tracking and monitoring this to protect their customers. As well as monitoring their own domain for malicious activity it is also important for them to monitor those with brand adjacencies; a malicious domain that is set up using a credible brand in an attempt to prevent the end-user from spotting the fake.
February 13, 2020
Paul Bischoff
Privacy Advocate
Comparitech
The FBI's report states the bureau received 68,013 complaints from victims over the age of 60 with adjusted losses in excess of $835 million. Elder fraud is hugely underreported, with some estimates saying fewer than 1 in 23 cases are actually reported to authorities. Based on those figures, our own analysis shows seniors lose $27 billion to elder financial abuse every year. Much of this is perpetrated by people close to the victims, such as family members and caregivers.
Tech support fraud: Tech support scams are a fast-growing problem according to the Bureau's report. Microsoft is the most commonly impersonated company in these scams, and given that it leaked a huge customer service database earlier this year, that's likely to continue.
Ransomware: The FBI received 2,047 ransomware complaints accounting for losses of $8.9 million. I don't know how the FBI adjusts for losses, but that seems like a very conservative estimate. Our analysis shows healthcare providers alone suffered an estimated $157 million in ransomware damages since 2016 if you factor in downtime caused by the disruption. Hospitals and other healthcare providers paid over $600,000 in ransom, but that's a small fraction of the total damage that ransomware caused.
Phishing: Phishing is far and away the most common type of cybercrime, with nearly double the number of victims as second-place non-payment scams, according to the FBI report. For criminals, phishing is cheap, easy, difficult to trace, and often effective. It frequently leads to other types of attacks, including ransomware, data breaches, identity theft, and email account compromise. Phishing leverages the weakest point of cybersecurity: humans. No matter how much technology we put into protecting data and computer systems, it seems human error will always be a threat. I think anti-phishing awareness and staff training should be a top priority for businesses in particular.
February 13, 2020
Patrick Hamilton
Security Evangelist
Lucy Security
It’s well known that email is the most frequent form of attack, it’s well known that email is most easily compromised, and it’s well known that scammers rely on deception. Email is a perfect storm—not because of sophisticated attacks—but because of the things that make users vulnerable: being in a rush, being stressed out, losing focus, fear of loss, wanting to look good, and greed. Sounds like the world of business to me. People need “advanced threat detection” much less than they need counseling and training.
February 13, 2020
Colin Bastable
CEO
Lucy Security
BEC is commonly referred to as CEO fraud, because it relies on the exploitation of authority figures and the sense of urgency that loyal subordinates have for the boss. The C Suite can be an invaluable ally for hackers, because they often over-ride rules and processes “to get the job done!” While BEC hackers rarely need to be super-hackers, they do need to be patient sleuths and good social engineers. Mapping out the company hierarchy, checking travel plans of senior “golden key holders” and working social media, they are well informed. A recent variation on the theme is the Vendor Email Compromise, where the hacker takes the role of a supplier and intercepts vendor payments. To defend themselves, organizations need to encourage subordinates to stick to the rules and resist pressure from the C Suite to make exceptions, use personal email and act with excessive haste. At Lucy, we find that many C Suite and VP-level staff exempt themselves from simulated trainings, because they fear the embarrassment of being caught. BEC fraud does not respect seniority, and it pays exceedingly well!